Insurer cyber security practices eyed

U.S. regulators are trying to mandate that insurers take more aggressive action to protect consumer data from cyber attacks, but experts question whether requirements are too onerous and fail to resolve the problem of inconsistent state laws and regulations.

The cyber security task force of the National Association of Insurance Commissioners in August released an updated draft Insurance Data Security Model Law that will likely be on the NAIC’s agenda for consideration and possible approval at its fall national meeting in Miami in December.

The model law would establish standards for data security and investigation and notification of a data breach and would apply to licensees, which include not just insurers, but agents, brokers and other parties. It would require these organizations to create a comprehensive written information security program that details the administrative, technical and physical safeguards for protecting personal information.

It would also require a licensee’s board of directors to approve and oversee implementation of the program and compliance with the law.

NAIC’s intention in developing this model law is to establish more uniformity across state laws and regulations, but that objective is somewhat undermined by the fact that the draft specifically states that it does not supersede existing state laws or regulations, experts say.

Currently, 47 states and the District of Columbia have varying requirements for breach notification, so the Property Casualty Insurers Association of America is supportive of the concept of a model law that achieves uniformity. But this draft merely layers requirements on top and does not pre-empt them, said Robert Woody, PCI’s senior counsel for policy in Washington.

“If you’re not going to achieve uniformity, then our view is there’s no point in doing it at all because you already have state laws on the books that address this,” he said. “That’s a major point of contention.”

The current draft has a very broad definition of personal information requiring protection and removed a “substantial harm” trigger for breach notification, meaning there’s no requirement to focus on breaches that would lead to identity theft or fraud issues, experts say.

The revised draft also reduces the time licensees have to notify regulators of a data breach from five business days to three, which may not be enough time for companies still trying to figure out the answers to basic questions such as how the breach occurred — answers regulators will want — said Theodore Augustinos, a Hartford, Connecticut-based partner with Locke Lord L.L.P.

“It is an admirable and much-needed effort, but it does have some flaws, and I think the industry has been very vigilant and helpful in pointing out some of those flaws, and I would hope that the NAIC responds to those concerns,” he said.

The NAIC’s model law isn’t as stringent as New York state’s recently proposed regulations, experts say.

In September, the New York State Department of Financial Services released for public comment a draft of its Cybersecurity Requirements for Financial Services Companies regulation.

The stringency of New York’s regulations has raised concerns because insurers, if they cannot segregate New York customer data from common platforms, will essentially be forced to comply with the most onerous regulations and apply that across the United States, barring significantly higher costs in doing so, said

The New York draft regulation — set to take effect Jan. 1, 2017 — would require that a chief information security officer be appointed and report at least biannually on cyber security issues to the board of directors or its equivalent, but a February 2015 report by the department showed that only 14% of insurer CEOs receive monthly briefings on information security.

“That is a significant elevation of the attention that boards need to focus on this issue,” said Christopher Boehning, a New York-based partner with Paul, Weiss, Rifkind, Wharton & Garrison L.L.P.